From 441da3baad4720c4ff62f2b6eda1cc6af08ab1b8 Mon Sep 17 00:00:00 2001
From: arno
Date: Thu, 20 Aug 2009 12:14:05 +0200
Subject: [PATCH] avoid html injection in item title
---
 js/syp.js | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/js/syp.js b/js/syp.js
index a7586ca..8ebc302 100644
--- a/js/syp.js
+++ b/js/syp.js
@@ -212,8 +212,9 @@ var SYP = {
 } var contentHTML; if (feature.cluster[0].attributes.name) {
+ // escaping name is necessary because it's not enclosed in another html tag.
 contentHTML = "

" +
- feature.cluster[0].attributes.name +
+ SYP.Utils.escapeHTML(feature.cluster[0].attributes.name) +
"

" + feature.cluster[0].attributes.description; } else {
@@ -384,6 +385,18 @@ var SYP = {
 } div.style.display = "block"; div.appendChild(textNode);
+ },
+
+ escapeHTML: function (str) {
+ if (!str) {
+ return "";
+ }
+ return str.
+ replace(/&/gm, '&').
+ replace(/'/gm, ''').
+ replace(/"/gm, '"').
+ replace(/>/gm, '>').
+ replace(/
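Review bot: `feature.cluster[0].attributes.description` on the last context line of this hunk is still concatenated into `contentHTML` unescaped, so if that field comes from the same untrusted source as `name`, the injection this commit closes for the title stays open for the body. The added comment justifies escaping by `name` "not being enclosed in another html tag", but what decides the matter is whether the value is plain text or trusted markup, not where it sits; I would reword it to `// name is plain text inserted into markup, so it must be escaped; description is assumed to be trusted HTML.` and, if that assumption does not hold, pass `description` through `SYP.Utils.escapeHTML` as well or strip tags from it before use. The lines that attach `contentHTML` to the DOM are outside this hunk, so I cannot confirm from here whether it is used as innerHTML rather than as text.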